6.11.2 npm ci installs package with wrong permissions

What I Wanted to Do

Our Jenkins server runs npm ci, creates an artifact and deploys it to AWS Lamba and all is well.

What Happened Instead

Our jenkins server runs npm ci with the latest npm (6.11.2), creates an artificat and deploys it. Because of this version, suddenly a service broke in our back-end because it could not read a node module, it didn’t have access to do it. So I looked into the permissions of all the files in the node_modules, and one package, a dependency of puppeteer, had incorrect permissions. The permissions were 640 instead of 644. Doing a manual chmod 644 on that module fixed the issue but I wanted to know the root cause of this.

-rw-r-----   1 sam  staff     35 Feb 18  2016 .jscsrc
-rw-r-----   1 sam  staff    238 Feb 21  2016 .jshintrc
-rw-r-----   1 sam  staff     30 Feb 21  2016 .npmignore
-rw-r-----   1 sam  staff    327 Feb 21  2016 .travis.yml
-rw-r-----   1 sam  staff   5270 Oct 17  2016 README.md
-rw-r-----   1 sam  staff   3219 Oct 17  2016 index.js
-rw-r-----   1 sam  staff   1162 Feb 24  2017 package.json
-rw-r-----   1 sam  staff  14078 Oct 17  2016 test.js

When I downgrade to npm@6.10.3, the issue is resolved and the permissions are correct.

-rw-r--r--   1 sam  staff     35 Feb 18  2016 .jscsrc
-rw-r--r--   1 sam  staff    238 Feb 21  2016 .jshintrc
-rw-r--r--   1 sam  staff     30 Feb 21  2016 .npmignore
-rw-r--r--   1 sam  staff    327 Feb 21  2016 .travis.yml
-rw-r--r--   1 sam  staff   5270 Oct 17  2016 README.md
-rw-r--r--   1 sam  staff   3219 Oct 17  2016 index.js
-rw-r--r--   1 sam  staff   1852 Aug 27 09:30 package.json
-rw-r--r--   1 sam  staff  14078 Oct 17  2016 test.js

This only happens with npm ci, not with a npm install command.

Reproduction Steps

Make sure you install npm@6.11.2 and run the following command in an empty directory

npm init -y \
	&& npm install puppeteer-core \
	&& ls -la node_modules/proxy-from-env \
	&& rm -rf node_modules/ \
	&& npm ci \
	&& ls -la node_modules/proxy-from-env

The image below shows a part of the output. The above permissions are after running npm install, the permissions at the bottom are after removing node_modules and running npm ci.

Platform Info

$ npm --versions
{ 'perm-issue': '1.0.0',
  npm: '6.11.2',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.12',
  zlib: '1.2.11' }

$ node -p process.platform
darwin

I’m having this exact same issue on our jenkins server. Any luck resolving? I’m about ready to add a chmod -R 644 node_modules to the config…

We noticed it on our Jenkins server as well but I can easily reproduce it locally… I downgraded to npm@6.10.3 and it resolved the issue.

1 Like

Thanks. I’ll do the same and watch this thread in case a fix is released.

I believe this is fixed on 6.11.3.

Just tested and indeed it works!

1 Like